linux-pages.com

How to disable selinux

Without going into a lengthy discussion as to why this may be a bad idea – sometimes you just need to do it! Some of the earlier distributions to include selinux could literally tick you off with constant SE Linux security warnings, pollute the logs with them, render certain apps unusable. I myself remember several time selinux constant warnings driving me crazy and at some point one just says “Ok, how do I disable this selinux stuff?”

So…

For all ya bad, bad, undisciplined folk out there who just want to be able use their systems “like before” 🙂

How to disable SE Linux

First decide whether you want to disable SELinux ﻿﻿temporarily (e.g. to debug a problem), or to switch it off permanently. With the first approach SE Linux will be up and running again after you reboot.

Next decide whether you want to make SE Linux allow all operations but still log warnings and keep track of file labels in the background (“Permissive” mode), OR completely turn it OFF (“Disabled”).

ATTENTION: Switching SELinux off if your computer is connected to a public network (directly connected to the Internet) is NOT recommended!

In theory, a better approach is to make changes to the app policy to permit the operations that are being blocked – but this requires knowledge of writing policies and may be a steep learning curve for some people. We will NOT discuss here this approach (changing the policies). We will look at the two methods of disabling SE Linux globally.

1. Method one – switch SELinux into “Permissive” mode

This will switch the SELinux kernel into a mode where all operations are allowed, but a warning message will be logged for any operation that would otherwise be denied. The mechanism that controls the permissions/policies of the files is still active and if at some future time you decide to re-enable SE Linux it can easily be done.

NOTE: For all this to work you must be logged in as root, and have the sysadm_r role:

newrole -r sysadm_r

Temporarily…

…Switching SELinux into Permissive mode:

echo 0 >/selinux/enforce

To Re-enable SELinux :

echo 1 >/selinux/enforce

To check what SELinux mode your system is currently in:

cat /selinux/enforce

To switch SE Linux back into enforcing mode:

echo 1 >/selinux/enforce

Permanently:

Edit the file /etc/selinux/config. Look for a line like this:

SELINUX=enforcing

Change it to SELINUX=permissive, save and reboot.

2. Method two – “Disable” SELinux completely

With this approach SELinux is completely disabled in the kernel. All operations are allowed and the process which decides how to label files & processes is also disabled.

Temporarily

The only method I know of doing this temporarily is to pass boot-time parameters to the kernel – some bootloaders allow editing the kernel boot command if you press certain key (e.g. F8) at boot time. This method will be discussed further down, when I explain what to do if your system does not have the /etc/selinux/config file. For now, let’s just concentrate on the permanent method – one would rarely want to completely disable SE Linux temporarily, anyway 🙂

Permanently

Again, edit the file /etc/selinux/config, change the SELINUX=… line to

SELINUX=disabled

Reboot.

Help! I don’t have a /etc/selinux/config file!

Some Linux distros don’t have the /etc/selinux/config file. In this case you will need to edit the kernel boot line. Most systems nowadays use GRUB, so edit the /boot/grub/grub.conf file (if you’re using the GRUB boot loader. For LILO and other bootloaders apply the same logic but you will have to read their man pages to see where to find the kernel boot line to edit it).

Ok, so in the config file, on the kernel line, append either enforcing=0, to switch into permissive mode or selinux=0 to disable selinux.